“This works thanks to the role ‘@; plays in the
spec of URL,” Weizman wrote. “The purpose of ‘@’ in URLs is to pass username and password to visited domains in the following way:
https://USERNAME:PASSWORD@DOMAIN.COM. One can abuse this, as I just did, and replace the username and password with anything else: https://DOMAIN-A.COM@DOMAIN-B.com and it’ll still work. Firefox is the only browser that warns users, by default, In case this method is used without providing a username and password.”
It should be noted that newer versions of Google Chrome have protections against these kinds of JavaScript modifications, according to the research, while “other browsers such as Safari are still wide open to these vulnerabilities.”
After successfully exploiting CVE-2019-1842 and performing this code injection to achieve an open redirect, the researcher took it further, to spin the hack into a persistent XSS attack through trial and error. To do so he employed JavaScript URIs (a trick that only works on non-Chromium based browsers, it should be noted):
Weizman continued probing the vulnerability to eventually bypass WhatsApp’s Content Security Policy (CSP) rules to enhance the power of the persistent XSS, which he managed to do by using
Google’s CSP Evaluator. There, he discovered that the CSP lacked the object-src directive.
“Since object-src directive is missing [in the CSP], it means I can use object to load an iframe(ish) to any origin of my choice,” he wrote in the post. “That way I’ll be able to run any external code with no size limits and no problems.”
Weizman then showed how he executed malicious code on the web.whatsapp.com domain by using the XSS exploit to load the aforementioned iframe. That opens up the potential for RCE, he said.
“I then use the iframe to post a message to the top window with the content of the external code,” he explained. “The top window, where the XSS was executed, receives the message from the iframe, parses the external payload provided by it and executes it in its context (web.whatsapp.com). Win! External payload was successfully fetched and executed in the context of WhatsApp!”
The entire attack can be executed with one click from the user on the altered rich preview message.
Weizman stressed the importance of an app’s CSP rules, which could have prevented the vulnerability from being exploited in the first place.
“If the CSP rules were well configured, the power gained by this XSS would have been much smaller,” he wrote. “Being able to bypass the CSP configuration allows an attacker to steal valuable information from the victim, load external payloads easily, and much more!”
WhatsApp’s desktop platform certainly isn’t the only version of the popular messaging service to contain vulnerabilities. Last year alone, researchers found a number of flaws in the more widely used mobile app version of WhatsApp that have allowed for remote code execution, the delivery of spyware, and exposure of personal media files, among others.